[SecurityRatty] tag: geekonomics

Live Blogging from GOVCERT.NL 2008 - David Rice Speaking

Mon, 15 Sep 2008 20:40:00 +0000

So, David Rice of "Geekonomics" fame is speaking; the content is pretty much the same as the book, but he sure can speak! :-) [see my review of the book here]

The message is the same: cybercrime is due to bad software; market motivates people to create bad software ("don't worry - be crappy" idea); market will fail to create secure software, etc.

Result? The 0wned world.

So, how to you make insecure software MORE expensive to create than secure software? Laws? Insurance? What else will help? Only time will tell...

Evil BETAs Attack!

Mon, 30 Jun 2008 13:45:00 +0000

Read this awesome "The BETA Mindset: Public Enemy #1 " piece from Mike R (BTW, it is a MUST-read). The maybe refresh on what I said after reading "Geekonomics." Then think!

Yes, it is available today (as beta maybe - but then again "all software is beta").
Yes, it is free.
Yes, it works ... well, when it does.
Yes, you can trust, say, your email to it (who cares when it is made public, really! :-))

And then the same programmer mindset trickles up to the software that controls your aircraft engine.

Boom!

That WAS you.

The more I think about it, the more I like the idea of software manufacturers' liability (succinctly described in "Geekonomics"); I suspect that everything bad that might come with it will probably still be better than what we have now (or will have soon...)

It Changed My Life: My Review of "Geekonomics"

Thu, 05 Jun 2008 13:53:00 +0000

As I am sitting here - yes, you guessed right! - on a plane, I cannot stop thinking about the book "Geekonomics"(book site) which I just finished reading (earlier impressions here and here). The way it ends, BTW, just kicks you in the balls, hard (look up what Mr Petrov did on Sept 26, 1983 and why, if you are already curious)!

Call me easily impressible, call me naive, darn, call me "out of touch with current security issues," but this book struck a major, major chord with me. It really did.

Now, I have experienced as much poor quality and insecure software as the next guy. I am never ever surprised about some feature in MS Office (or other application, really) just flat out not working or not working as expected or not working every time.

I suspect that, by now, every human on Earth who ever laid their hands on a computer knows:

software = might NOT work.

Now, we expect roads, bridges, toasters, chainsaws, bicycles, cars (until they put software in them...) to work and work they do. And if they don't - the company who manufactures them usually makes them work for us fast - or goes away, cut down by the "benevolent" axe of capitalism. Now, software is totally different (my thinking about this one).

And everybody knows it. But nobody was brave enough to take a hard look at this and analyze how that simple fact affected, affects and will affect our society. And, for my extra-paranoid readers: "... and how it might end that very society."

Until "Geekonomics!"

This book might not reveal any secrets about how software works to an IT professional (it will reveal how law works though!), but it will explain why bad software is everywhere, why we are stuck with it, why it will not improve by itself and - sorry for a hysterical note here! - how we might all fucking die because of it. It then unemotionally predicts why more people will certainly die because of bad software. It studies the complicated dynamics of today's software market such as who is more at fault for bad software - buyers who agree to buy or vendors who make it (or both). It also suggests that many of today's regulations and compliance "thingies" are a little misguided (e.g. in a battle a PCI DSS-compliant enterprise and a 0-day-wielding hacker, any sane person will bet on an 0-day). It is also very well-written; it won't bore an experienced IT or security pro and it will not overwhelm a mere IT user.

First, it explains why the software is the "foundation of our civilization" today, and how it will be more so in the future. Next, it casts a look at "innovation" and ponders how innovation-driven software development relates to the fact that users don't touch 90% of features of a typical software. In the third chapter is presents the view of the "0wned world" where "only the stupid [cybercriminals] get caught." Next chapters looks at how government oversight works in other areas (e.g. FDA), how it might work - and how it might fail (and did fail in the past). While doing it, the book dispels the "government will just make it worse" myth (basically, because some things are really bad and quickly streaming towards worse already). The amazing chapter 5 gives the clearest explanation of litigation (torts, etc) that I have ever seen (the book is worth reading just for chapter 5 alone!). Chapter 6 takes a super-pessimistic look at open-source software (no comment - just read it). Finally, several possible future - "the way forward" - is discussed.

Another thing I would like to mention about this book is that a reader should keep in mind that it is not about "insecure" software: it is about bad quality, unsafe software in general and less about "hackable" software. The author chose to not make this distinction very clear, perhaps on purpose.

So, everybody in software business, security business - in fact, just everybody who uses a computer - MUST READ THIS BOOK! Seriously, understanding the point made there might be a matter of life or death for some (all?) of us.

As a conclusion, if you want the visual image of the future to end my review, here it is: it is not "Terminator" future (where machines kill people out of evil) that we must fear and work to prevent, but "Robocop" future (where they do due to software bugs).

Go read the darn book! And support liability for software manufactures. Also, in a few days, check this out (not yet but hover over the link to get a preview...)

Technorati tags: book review, security, geekonomics

Paranoia Acting Up or Just Being Reasonable?

Wed, 28 May 2008 09:37:00 +0000

I am still reading "Geekonomics" and - honestly! - I cannot handle more than 10-20 pages at a time since I develop a rage and start looking for a software developer to kill :-) If you need a reminder about how fragile the foundations of our civilization are, go read the book!

So, is there any public bodycount of people killed by bad (low quality OR insecure) software? All those robot gun victims, runaway robot trans, PC-controlled radiation therapy equipment? It's got to be in the hundreds by now... I thought RISKS list was doing it, but I can't find it.

On Geekonomics

Mon, 21 Apr 2008 16:26:00 +0000

I am sitting in hotel here in San Antonio, TX (I presented at TRISC 2008 today - it sure was fun!) reading "Geekonomics" (can't work - I have a bit of a flu), provided by my friends from Addison-Wesley.

And you know what? The darn thing is turning me into a software liability advocate (like Bruce Schneier) - I really need to resist that ... :-)

Seriously, I just read another 10 pages and I am already thinking "Some say that if we have software liability, we will lose open source... this is kinda bad ... but such is life" :-(

Somebody please save me this train of thought :-)

Inside the black market 'bug trade'

Wed, 09 Apr 2008 20:00:00 +0000

The black market for software vulnerabilities is booming, with bugs regularly being sold for thousands of dollars a piece online. And one of the only ways to reduce this steady stream of hacks, according to Geekonomics author and IT security pro David Rice, is for software companies to simply write better code.

Q&A: Want better security apps? Make vendors accountable, Geekonomics author says

Thu, 06 Mar 2008 11:00:00 +0000

Security software vendors have gotten away with writing defective and insecure code only because the market has allowed them to, according to David Rice, the author of Geekonomics.